Some bizarre results on calculations for Certificate validity in EJBCA 7.9.0.2 #109

arshadnoor · 2022-09-13T03:15:55Z

arshadnoor
Sep 13, 2022

I'm trying to create a Root CA where the certificate never expires (Validity until 12/31/9999 23:59:59 UTC). (Lets not get into the why, - this is a business requirement).

When testing this with software only, on multiple times with the same underlying components (OS-Database-AppServer-EJBCA), there has been no problem - see example below.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:32:36:cb:a0:8d:a1:a0:99:45:24:a5:c1:da:74:61:17:95:37:bc
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = StrongKey Test Root CA
        Validity
            Not Before: Aug 17 00:11:56 2022 GMT
>>>>>>>>>>  Not After : Dec 31 23:59:59 9999 GMT    <<<<<<<<<<
  ...

However, when using the HSM, EJBCA is unable to create such a certificate, Admin GUI shows me this error message:

org.cesecore.certificates.ca.CAOfflineException: CA StrongKeyTestRootCA 1378690767 is not active. CRL can not be created. Status is 3.

From Wildfly log files, even though I see a PEM file, OpenSSL fails to display the contents when it reaches the certificate end-date. I've had to use ASN1 parsing to print the content below.

    0:d=0  hl=4 l= 432 cons: SEQUENCE
    4:d=1  hl=4 l= 341 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02

  ...

   83:d=2  hl=2 l=  33 cons: SEQUENCE
   85:d=3  hl=2 l=  13 prim: UTCTIME           :220913000721Z
  100:d=3  hl=2 l=  16 prim: GENERALIZEDTIME   :100000101065959Z    <<<<<<<<<<

  ...

The log messages seem to indicate this "work-in-progress" certificate has expired:

"...expiretime=Wed Dec 31 16:00:00 PST 1969..."

and the log-entry :

[org.cesecore.certificates.ca.CaSessionBean] (default task-2) CA CN=StrongKey Test Root CA has expired. certificate expired on 100000101065959GMT+00:00

As you can see, that is the date in the ASN1 parsed output. According to some websites, the value there should have been some value around 253402329599.

What is causing this? I've asked the HSM company the same question (waiting for their response), but I suspect this is being calculated within EJBCA. But, why now/suddenly when the same versions without the HSM did not produce this problem more than a few times before?

And, strangely, I get the same error now if I try to create the certificate using a Soft token after the error surfaces the first time when trying to use the HSM. Restarting Wildfly, MariaDB - or even the computer - cannot generate a CA certificate for that identifier or DN for 30Y or 100Y durations.